Home Business IT Security Microsoft pays out $100K for new exploit technique


JUser: :_load: Unable to load user with ID: 3653

Microsoft pays out $100K for new exploit technique

  • 10 October 2013
  • Written by 
  • Published in Security

One plucky hacker has earned  a massive payday courtesy of a bug in Microsoft's Windows OS, pocketing a $100,000 reward for discovering a critical vulnerability.

British-based white-hat hacker James Forshaw from Context Information Security came up with a way of exploiting Windows applications that, according to various sources, overcomes systemic protections such as Address Space Layout Randomization and Data Execution Prevention in Windows 8.1 Preview. Microsoft has ponied up $100,000 for the information.

The tech giant announced back in June that it would join other like-minded companies like Google and Mozilla in paying external hackers to research vulnerabilities, offering up to $11,000 for critical vulnerabilities discovered in the Internet Explorer 11 beta  and up to $100,000 for any technique that bypassed Windows' built-in exploit mitigation schemes.

Forshaw jumped at the chance and had already discovered design level bugs during the IE11 Preview Bug Bounty, bringing his total earnings to $109,400.

"James already came in hot with design level bugs he found during the IE11 Preview Bug Bounty, and we're thrilled to give him even more money for helping us improve our platform-wide security by leaps," said Katie Moussouris, senior security strategist at the Microsoft Security Response Center in a blog post.

"While we can't go into the details of this new mitigation bypass technique until we address it, we are excited that we will be better able to protect customers by creating new defenses for future versions of our products because we learned about this technique and its variants."

Microsoft said that unlike Mozilla for example, it is not paying for individual bugs but was instead offering the $100,000 scheme for entire classes of exploits.

"The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack," the company said.

"This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications."

As we reported yesterday Danish-based startup CrowdCurity is also offering bounties for hackers, and is actively looking for small-to-medium sized businesses who want their security tested.


Did you know: Key business communication services may not work on the NBN?

Would your office survive without a phone, fax or email?

Avoid disruption and despair for your business.

Learn the NBN tricks and traps with your FREE 10-page NBN Business Survival Guide

The NBN Business Survival Guide answers your key questions:

· When can I get NBN?
· Will my business phones work?
· Will fax & EFTPOS be affected?
· How much will NBN cost?
· When should I start preparing?